Happy to see acknowledgment that some people don’t read email on every device they use.
A number of times I’ve signed up on a site where the account can’t be logged into until the verification link comes through e-mail, and the e-mail either never arrives or comes with significant delay (20-60 minutes). If I had to go through that every time I logged in, I would not use that site.
That was the kind of insight I was blind to and looking for from writing this article. Thanks =)
even if you rarely logged in, because the site allows you to stay logged in?
Some people choose not to stay logged in to every site all the time. Either by logging out when done, or just blunt daily cookie clearing.
If we’re starting a list of people who clear their cookies regularly, I’m on it. Irregularly, but on average every other day or so. Cookies accumulate a lot of tracking information very fast, so it’s only reasonable to wipe them regularly.
I noticed that Telegram uses a similar login mechanism. The first device you set up requires that you can receive a text at the phone number you chose. Each additional device requires you to use one of your already configured devices to approve the access.
I don’t mind this trend.
This fails to address the key security issues homakov failed to address when he proposed the same thing:
Email is not secure by design. It can be secure but it isn’t in all cases. This solution basically pushes the security requirements onto email services, with a “not my problem bro”
If someone breaches your mailbox, they can have persisted access to this service without you knowing. The password reset attack vector means you will know about any breach because you won’t be able to login with your existing credentials.
Also, claiming that password managers could be replaced by a browser extension (that doesn’t exist currently) is like saying I don’t need a scuba tank, I could breathe underwater with a set of gills transplanted from a shark, if only someone would invent that procedure.
This also doesn’t work well for mail servers that use grey listing, or for any of those times when traffic between the server, your email server and you is negatively affected
After some searching, I think you’re referring to https://sakurity.com/blog/2015/04/10/email_password_manager.html is that right?
With respect to pull-based breach detection, you bring up a good point. Although, it’s more of an afterthought for sites with a large turnaround time like ours (i.e. could be up to 7 days from last visit due to no job search activity). But in the general case, you’re right that this should be solved.
At its root, we want to tell the user things happened when they revisit the site (a pull-based notification if you will). What are your thoughts on a solution like listing new sessions on a per-device basis? (e.g. revisit site, receive standalone page saying to confirm all other new sessions are valid, happens on every device so 1 device can’t auto-approve all others)
Yes thats the post I’m referring to, which was followed by a lengthy back-and-forth on Twitter, where the author freely admitted that mailbox security isn’t fantastic, but that it isn’t his concern.
Honestly I don’t think saying “someone logged into your account from X, was this you?” is going to work. Most users will soon get so sick of the constant messaging they’ll just blindly click OK.
As I tried to explain to Homakov, passwords fundamentally do work - they just have shitty UX in most cases.
Try using Safari + iCloud Keychain for a few days. It’s a great example of how well a password manager can operate.
Alerts like this can still be helpful, as long as they’re infrequent - for example, only from devices you haven’t used before.
I’m confused where the repetition would come from such that users get complacent to the messaging. It should only be shown when there’s a new device login. We persist sessions for 2 weeks since its last activity and while our application has a large turnaround, it still should be within 2 weeks.
With respect to passwords fundamentally working/password managers, I think you might be missing the goal of this movement. While I use a password manager, I can’t enforce the average non-technical user to do the same. This movement is to minimize the impact of a leak because we don’t live in a perfect world and error-prone humans are the writing authentication code/maintaining the servers. If it were to catch on, then it would have a cascading effect where passwords are reserved for a handful of services (e.g. email providers) – enforced by the services themselves.
For reference, my search for “How common is password reuse” came up with this 2015 survey sampling 2030 US residents (unable to find anything larger). It shows 59% of people (in this sample set) reuse passwords.
I like this pattern, but I have also never successfully received a Slack magic link email. They simply don’t arrive.
Also vutuv uses the same login procedure.